Advanced Software Protection: Integration, Research and Exploitation D7.02 ASPIRE Dissemination Plan Project no.: Funding scheme: Start date of the project: Duration: Work programme topic: 609734 Collaborative project 1st November 2013 36 months FP7-ICT-2013-10 Deliverable type: Deliverable reference number: WP and tasks contributing: Due date: Actual submission date: Report ICT-609734 / D7.02 / 1.01 WP 7 / Tasks 7.1 October 2014, M12 21 November 2014 Responsible Organization: Editor: Dissemination Level: Revision: UGent Bjorn De Sutter Public 1.01 Abstract: We present an overview of the dissemination activities undertaken in year 1 of the project. We present an update to the global dissemination strategy as described in the Description of Work, and present individual dissemination plans of all project partners. Keywords: website, presentations, poster, leaflet, logo, workshops, publications, tutorials, press release D7.02 - ASPIRE DISSEMINATION PLAN Editor Bjorn De Sutter (UGent) Contributors (ordered according to beneficiary numbers) Cataldo Basile (POLITO) Brecht Wyseur (NAGRA ) Mariano Ceccato (FBK) Paolo Falcarin (UEL Michael Zunke (SFNT) Jerome D'Annovile (GTO) The ASPIRE Consortium consists of: Ghent University (UGent) Coordinator & Beneficiary Belgium Politecnico Di Torino (POLITO) Beneficiary Italy Nagravision SA (NAGRA) Beneficiary Switzerland Fondazione Bruno Kessler (FBK) Beneficiary Italy University of East London (UEL) Beneficiary UK SFNT Germany GmbH (SFNT) Beneficiary Germany Gemalto SA (GTO) Beneficiary France Coordinating person: E-mail: Tel: Fax: Project website: Prof. Bjorn De Sutter [email protected] +32 9 264 3367 +32 9 264 3594 www.aspire-fp7.eu Disclaimer The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 609734. The information in this document is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. ASPIRE D7.02 PUBLIC I D7.02 - ASPIRE Dissemination Plan Document Revision History Version 1.0 21 Nov 2014 Original deliverable submitted to the EC. Version 1.01 4 Dec 2014 Publication nr 7 by Mariano Ceccato (which was forgotten in v1.0) was added in Section 2.1. No other changes. ASPIRE D7.02 PUBLIC II D7.02 - ASPIRE Dissemination Plan Executive Summary This report first lists and details the dissemination activities undertaken by the consortium partners in Year 1 of the project. These activities can be summarized as follows: • • • • • • • • • • • • • 6 scientific publications; a PowerPoint presentation template; 16 presentation activities where ASPIRE results were disseminated to expert audiences; 5 more such activities planned for early in Year 2; an accepted proposal for organizing the first ASPIRE workshop collocated with the International Conference on Software Engineering (ICSE) in May 2015; the ASPIRE project website, consisting of a public and private part; 10 dissemination activities to the general public, including press releases taken up by ACM TechNews, and an interview with the coordinator broadcasted on Flemish local public television at the time of the project kick-off meeting a project logo; a 4-page A4 project leaflet; an A0 project poster; social media activities (LinkedIn and Twitter); cooperation with other projects; the interview for the EU Yearbook compiled in the FP7 project SecCord. Next, the deliverable presents the major project-wide dissemination plans for years two and three, as extensions and implementations of the project dissemination strategy that was already detailed in the project Description of Work, and that is partitioned into three phases: an awareness phase, a result phase, and an exploitation phase. The main update to this strategy is that we plan to organize two workshops and one or more tutorials, collocated with major dissemination and networking events of different scientific communities, such as software engineering (see ICSE above), compiler technology (conference of the HiPEAC Network of Excellence), and software and system security. Finally, each of the partners presents his individual plans for disseminating their results in years 2 and 3 of the project and following the project. ASPIRE D7.02 PUBLIC III D7.02 - ASPIRE Dissemination Plan Contents Section 1 Dissemination Strategy ......................................................................... 1 1.1 Initial Overall Dissemination Strategy ................................................................ 1 1.2 Status after Year 1............................................................................................. 2 Section 2 Dissemination Activities Started in M01-M12 ..................................... 3 2.1 Scientific Publications ........................................................................................ 3 2.2 Presentations, Participation in Conferences...................................................... 3 2.2.1 Presentation Template ............................................................................................. 3 2.2.2 Activities in M01-M12 ............................................................................................... 4 2.2.3 Upcoming ASPIRE Dissemination Activities ............................................................ 7 2.2.4 First ASPIRE workshop ............................................................................................ 8 2.3 ASPIRE Project Website ................................................................................... 8 2.3.1 Public ASPIRE Website http://www.aspire-fp7.eu .................................................... 8 2.3.2 Restricted Area of ASPIRE Website ...................................................................... 16 2.4 Presentation of the Project to the General Public............................................ 16 2.4.1 Web, Press Releases, Articles in Popular Press, TV Footage ............................... 16 2.4.2 Project Logo ........................................................................................................... 18 2.4.3 Project Leaflet ........................................................................................................ 19 2.4.4 Project Poster ......................................................................................................... 24 2.4.5 Social Media ........................................................................................................... 25 2.4.6 Cooperation with Other Projects ............................................................................ 25 2.4.7 Interview for EU Yearbook ..................................................................................... 25 Section 3 Global Dissemination Plan Years 2 - 3 ............................................... 26 Section 4 Per Partner Dissemination Plans ........................................................ 27 4.1 Ghent University .............................................................................................. 27 4.2 Politechnico Di Torino...................................................................................... 28 4.3 Nagravision...................................................................................................... 29 4.4 Fondazione Bruno Kessler .............................................................................. 30 4.5 University of East London................................................................................ 31 4.6 SFNT Germany ............................................................................................... 32 4.7 Gemalto ........................................................................................................... 32 Section 5 List of Abbreviations ........................................................................... 33 Appendix A ASPIRE D7.02 First ASPIRE Workshop Proposal ................................................. 34 PUBLIC IV D7.02 - ASPIRE Dissemination Plan List of Figures Figure 1 - Examples of ASPIRE presentation template ........................................................... 4 Figure 2 - Screenshot of the top part of the home page on the ASPIRE website .................. 10 Figure 3 - Screenshot of the bottom part of the home page on the ASPIRE website ............ 11 Figure 4 - Screenshot of the ASPIRE website home page on an (old) iPhone 3G. ............... 11 Figure 5 - Screenshot of the consortium page on the ASPIRE website ................................. 12 Figure 6 - Screenshot of the about page with links to presentations on the ASPIRE website13 Figure 7 - Screenshot of the knowledge base page on the ASPIRE website ........................ 13 Figure 8 - Screenshot of the related work page on the ASPIRE website ............................... 14 Figure 9 - Screenshot of the ASPIRE webpage with the list of deliverables .......................... 15 Figure 10 - Unique users per country visiting the ASPIRE website since June 2014 ............ 15 Figure 11 - Screenshot local television interview/report on AVS ........................................... 18 Figure 12 - Screenshot local television report on TGVerona ................................................. 18 Figure 13 - ASPIRE logo ........................................................................................................ 19 Figure 14 - ASPIRE buttons ................................................................................................... 19 Figure 15 - Front page ASPIRE leaflet ................................................................................... 20 Figure 16 - Page 2 ASPIRE leaflet ......................................................................................... 21 Figure 17 - Page 3 ASPIRE leaflet ......................................................................................... 22 Figure 18 - Back page ASPIRE leaflet ................................................................................... 23 Figure 19 - ASPIRE poster ..................................................................................................... 24 ASPIRE D7.02 PUBLIC V D7.02 - ASPIRE Dissemination Plan Section 1 Dissemination Strategy Section Authors: Bjorn De Sutter (UGent) 1.1 Initial Overall Dissemination Strategy The initial ASPIRE dissemination strategy was first described in the DoW - Annex 1 Section B3.2.1 as follows: Dissemination activities ensure the visibility and awareness of the project and support of the widest adoption of its results in industry and research. The external dissemination activities will be coordinated in WP7, in three phases. Awareness phase Raising public awareness involves the setting up of the basic marketing materials and awareness-raising presentations about the project and its goals. Thus, the main activities will be the following: • • • • Setting up a common project design, such as an ASPIRE logo, templates for documents and presentations. Creating and maintaining the project website, which will describe the challenges and the goals of the project and which will introduce the project members. Designing the project information materials (such as a leaflet and an introductory off the shelf presentation), which can be distributed later on without investing greater efforts. Giving introductory presentations at conferences and workshops about the challenges and goals of ASPIRE to raise awareness among the scientific and industrial stakeholders and to establish the brand name of ASPIRE. Result phase For promoting the results of the ASPIRE project, this phase will address stakeholders in software protection technology. The planned activities, mainly for but not limited to the nonindustrial partners, are: • • • • • Display and promote public deliverables and news for viewing and downloading on the project website in order to show the liveliness and progress of the project and to keep interested parties up-to-date. Presentations at international conferences and workshops introducing the findings of the ASPIRE project. These presentations will still be research-oriented. The project will participate to the International Summer School on Information Security and Protection - Software Protection (ISSISP) when it comes back to Europe (scheduled for 2014) to disseminate results directly to PhD students and young researchers, but also to industrial participants. High-quality papers will be submitted to scientific and industry conferences. The ASPIRE consortium will publish and disseminate press releases after reaching important milestones. Currently, software protection is more art than an engineering discipline. In fact, in order to elaborate complicated tricks to protect the code, security experts need to spent at least the same amount of time as the potential attackers determined to port attacks. The ASPIRE project intends to promote the culture of an engineering approach to quantitative software ASPIRE D7.02 PUBLIC Page 1 of 37 D7.02 - ASPIRE Dissemination Plan protection. The channels for the dissemination of the projects results therefore also include venues in the area of software engineering, measurements and empirical studies. In the area of software security, the main conferences and journals that ASPIRE will target include the ACM Conf. on Computer and Communications Security (CCS), Usenix Security Symp., IEEE Security & Privacy, IFIP Conf. on Communications and Multimedia Security, Symp. on Engineering Secure Software and Systems, and Whiley Journal of Security and Communication Networks. In the area of software engineering, measurements and empirical studies, ASPIRE will consider ACM Trans. on Software Engineering and Methodology, IEEE Trans. on Software Engineering, ACM Conf. on Software Engineering, IEEE Working Conf. on Source Code Analysis and Manipulation, IEEE Conf. on Program Comprehension, IEEE Working Conf. on Reverse Engineering, Symposium on Empirical Software Engineering and Measurement (ESEM) and Workshop on Measurability of Security in Software Architectures, among others. Exploitation phase Specific activities of this phase, mainly for but not limited to, the industrial partners include: • • • • Exploitation-oriented upgrade of the project website, including optimisation for search engines and optional registration for specific keywords. Participation at several exhibitions, fairs and workshops, where the results of the project could be presented to business stakeholders and contacts for potential commercial projects could be built. Organization of an ASPIRE workshop collocated with a major networking event or conference. Individualised demonstrations for interested stakeholders during the negotiation of business projects. The result and exploitation-oriented dissemination activities will be planned in M12 of the project in the form of a Dissemination Plan deliverable (D6.02). At the end of the project, a Dissemination Report will be delivered (D7.04). Detailed descriptions of the individual partners' dissemination strategies are presented in Annex II. 1.2 Status after Year 1 All activities of the awareness phase have been conducted as originally planned. Also the activities for the Result phase and the Exploitation phase as documented later in this deliverable are a direct realization of the above strategy. ASPIRE D7.02 PUBLIC Page 2 of 37 D7.02 - ASPIRE Dissemination Plan Section 2 Dissemination Activities Started in M01-M12 Section Authors: Bjorn De Sutter (UGent) 2.1 Scientific Publications 1. Yosief Weldezghi Frezghi Code Diversity: Code Obfuscation and Clustering Heuristic to Prevent Code Tampering Master Thesis, University of Trento, Department of Information Engineering and Computer Science. Advisor: Luigi Palopoli, Second Supervisor: Mariano Ceccato. Academic Year 2013-2014 2. Biniam Fisseha Demissie Implementation and Assessment of Data Obfuscation for C/C++ Code Based on Residue Number Coding. Master Thesis, University of Trento, Department of Information Engineering and Computer Science. Advisor: Bruno Crispo, Second Supervisors: Mariano Ceccato and Roberto Tiella. Academic Year 2013-2014. 3. Bjorn De Sutter Evaluating the Strength of Software Protections (Abstract) Challenges in Analysing Executables: Scalability, Self-Modifying Code and Synergy, Report from Dagstuhl Seminar 14241, 2014, p. 54 4. Paolo Tonella, Mariano Ceccato, Bjorn De Sutter, Bart Coppens A Measurement Framework to Quantify Software Protections (Poster + Extended Abstract) Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014, p. 1505-1507. 5. Bjorn De Sutter Towards a Unified Framework for Evaluating the Strength of Software Protections (Extended Abstract) Proc. of the ARO Workshop on Continuously Upgradeable Software Security and Protection, 2014, p. 34-35. 6. Brecht Wyseur Reflections on Software Renewability from an Industry Perspective (Extended Abstract) Proc. of the ARO Workshop on Continuously Upgradeable Software Security and Protection, 2014, p. 36-37. 7. Mariano Ceccato On the Need for More Human Studies to Assess Software Protection (Extended Abstract) Proc. of the ARO Workshop on Continuously Upgradeable Software Security and Protection, 2014, p. 55-56. 2.2 Presentations, Participation in Conferences 2.2.1 Presentation Template In order to streamline the dissemination of ASPIRE results and create a recognition of ASPIRE graphical material in the software protection community, a PowerPoint presentation template was designed. Some example slides are depicted in Figure 1. ASPIRE D7.02 PUBLIC Page 3 of 37 D7.02 - ASPIRE Dissemination Plan Figure 1 - Examples of ASPIRE presentation template 2.2.2 Activities in M01-M12 1. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: ASPIRE D7.02 Conference Bjorn De Sutter, UGent A Golden Standard for Evaluating Software Protection against Man-at-the-End Attacks Vienna (AU) 20/01/2014 25 Keynote speech at the Cryptography and Security in Computing 2 Systems (CS ) workshop (col. with the HiPEAC conference) International https://aspire-fp7.eu/content/about PUBLIC Page 4 of 37 D7.02 - ASPIRE Dissemination Plan 2. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: 3. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: 4. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: 5. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: 6. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: 7. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: ASPIRE D7.02 Exhibition Brecht Wyseur, NAGRA ASPIRE: Advanced Software Protection: Integration, Research and Exploitation Brussels (BE) 28/03/2014 480 Poster at the EU Cybersecurity Strategy - High Level Conference International Presentation Paolo Falcarin, UEL Software Protection Research Overview London (UK) 20/01/2014 20 Internal presentation to research development team at UEL to plan for knowledge transfer and collaborations National Presentation Cataldo Basile, POLITO ASPIRE: Advanced Software Protection: Integration, Research and Exploitation Torino (Italy) 26/02/2014 15 Internal presentation to the TORSEC group of Politecnico di Torino National Presentation Cataldo Basile, POLITO ASPIRE: Advanced Software Protection: Integration, Research and Exploitation Torino (Italy) 14/03/2014 20 Internal presentation to SECURED team of the Politecnico di Torino National Presentation Antonio Lioy, POLITO ASPIRE: Advanced Software Protection: Integration, Research and Exploitation Torino (Italy) 5/12/2013 150 Presentation of the ASPIRE project to the Master students of the course 03GSD “Sicurezza dei sistemi informatici” (Computer systems security) National Presentation Antonio Lioy, POLITO ASPIRE: Advanced Software Protection: Integration, Research and Exploitation Torino (Italy) 9/12/2013 100 Presentation of the ASPIRE project to the Master students of the course 02KRQ “Computer System Security” National PUBLIC Page 5 of 37 D7.02 - ASPIRE Dissemination Plan 8. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: 9. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: 10. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: Presentation Paolo Falcarin, UEL Software Protection London (UK) 30/04/2014 20 UEL Expert Series: academics are invited to present their work to audience of small-medium enterprises National Presentation Mariano Ceccato, FBK Code Diversity: Code Obfuscation and Clustering Heuristic to Prevent Code Tampering Trento (IT) 12/03/2014 30 Master thesis defense by Yosief Weldezghi Frezghi, under supervision of Mariano Ceccato National Presentation Bjorn De Sutter, UGent Evaluating the strength of software protections Dagstuhl (DE) 11/06/2014 44 Dagstuhl Seminar on "Challenges in Analysing Executables: Scalability, Self-Modifying Code and Synergy" International http://www.dagstuhl.de/en/program/calendar/semhp/?semnr=14241 11. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: Lecture Bjorn De Sutter, UGent Evaluating the strength of software protections Verona (IT) 30/07/2014 35 Lecture of 3 hours at ISSISP Summer School on Software Protection, International http://issisp2014.di.univr.it/ 12. Activity: Lecture Brecht Wyseur, NAGRA White-box Cryptography Verona (IT) 28/07/2014 35 Lecture of 3 hours at ISSISP Summer School on Software Protection, International http://issisp2014.di.univr.it/ Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: 13. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: ASPIRE D7.02 Presentation Jens Van den Broeck, UGent The ASPIRE project Verona (IT) 31/07/2014 35 Poster presentation at ISSISP Summer School on Software Protection, International http://issisp2014.di.univr.it/ PUBLIC Page 6 of 37 D7.02 - ASPIRE Dissemination Plan 14. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: 15. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: 16. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: Presentation Brecht Wyseur, NAGRA An introduction to ASPIRE Cheseaux, CH 10/09/2014 50 Brecht presented the project to NAGRA's group-wide security experts Presentation Brecht Wyseur, NAGRA The ASPIRE use case demonstrator Cheseaux, CH 11/09/2014 20 Presentation during company internal Technical Session Workshop Presentation Mariano Ceccato, FBK Implementation and Assessment of Data Obfuscation for C/C++ Code Based on Residue Number Coding Trento (IT) 14/10/2014 30 Master thesis defense by Biniam Fisseha Demissie, under supervision of Mariano Ceccato National 2.2.3 Upcoming ASPIRE Dissemination Activities 1. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: Note: 2. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: 3. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: ASPIRE D7.02 Conference Mariano Ceccato, FBK A Measurement Framework to Quantify Software Protections Scottsdale (USA) 04/11/2014 400-500 Poster presentation at 21st ACM Conference on Computer and Communications Security (AACM CCS 2014) International http://www.sigsac.org/ccs/CCS2014/pro_poster.html Due to sickness of the presenter, this presentation was cancelled at the last minute Conference Bjorn De Sutter, UGent Towards a Unified Framework for Evaluating the Strength of Software Protection Scottsdale (USA) 07/11/2014 25 Invited position paper, ARO Workshop on Continuously Upgradeable Software Security and Protection International http://ssp2014.di.univr.it/ Conference Brecht Wyseur, NAGRA Reflections on Software Renewability from an Industry Perspective Scottsdale (USA) 07/11/2014 25 Invited position paper, ARO Workshop on Continuously Upgradeable Software Security and Protection PUBLIC Page 7 of 37 D7.02 - ASPIRE Dissemination Plan Countries Addresses: URL: International http://ssp2014.di.univr.it/ 4. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Countries Addresses: Conference Bjorn De Sutter, UGent The ASPIRE project Amsterdam (NL) 21/01/2015 500 Poster presentation at the HiPEAC Conference 2015 International 5. Activity: Main Leader: Title: Place: Date: Audience Size: Type and Goal Event: Conference Bjorn De Sutter, UGent The ASPIRE project Amsterdam (NL) 20/01/2015 rd Poster presentation at the 3 Workshop on Transfer to Industry and Start-Ups International Countries Addresses: 2.2.4 First ASPIRE workshop In its description of Task T7.1, the ASPIRE DoW has foreseen the organization of an ASPIRE workshop to serve as a dissemination and networking event. In the project dissemination plan, we propose to go further than one workshop, and to organize multiple workshops, collocated with conferences that attract researchers and practitioners in different related fields. For the first such workshop, we target the he 37th International Conference on Software Engineering (ICSE, http://2015.icse-conferences.org/) that will be organized in Florence (IT) on 16-24 May 2015. With such a workshop, we aim to reach the software-engineering community, with which we want to interact regarding the usability aspects of ASPIRE technology in the hands of non-security experts. On 10 October, a workshop proposal was submitted to ICSE. It is included in Appendix A. On 20 November, we got the notification from the ICSE Workshop Committee Co-Chairs that the proposal was accepted. We will hence commence its organization and the design of a workshop website shortly. 2.3 ASPIRE Project Website 2.3.1 Public ASPIRE Website http://www.aspire-fp7.eu To serve the broadest possible visibility of the project, the project website was launched in the first month of the project. The website builds on the Drupal Content Management System (https://drupal.org/). All pages on this public website are available for everyone, it is not necessary to login. The website can be accessed with all major browsers, and a Drupal Theme was licensed and is used that automatically adapts and reformats the page layout for the screen sizes and resolutions used on today's wide variety of Internet access points, ranging from small, touchscreen smart phones, over larger screen tablets, to laptops and desktop computers. The website will be maintained until three years after the end of the project. After its initial launch, content has been gradually added to the website to turn it into a kind of software protection knowledge base. Currently, the public part of the website consists of the following pages: ASPIRE D7.02 PUBLIC Page 8 of 37 D7.02 - ASPIRE Dissemination Plan • • • • • • • Home: General introduction to the project, brief overview of consortium by means of partner logos. See Figure 2 and Figure 3 for screenshots of the p home age on a desktop browser. Figure 4 shows a screenshot on the iOS smartphone browser as demonstration of the portability of the used theme. Consortium: Description of all project partners and their principal investigators. See Figure 5. Contact: Contact form and coordinator contact information. About: Some more information about the project, and links to press releases and presentations about the project by the coordinator. See Figure 6. Knowledge Base: A publication database can be interfaced through the ASPIRE website knowledge base. Currently the publications can be selected and ranked based on subject (metrics, obfuscations, program analyses, ...) and year. See Figure 7. Related: A page where links to related journals, conferences, summer schools, projects, etc. will be maintained. See Figure 8. Deliverables: A webpage that lists all project deliverables, where public ones will be made available once accepted by the EC. See Figure 9. Early on in year two, when the project enters the results phase in which the first major publishable results and milestones should be achieved, a news page will be added that will continuously be updated with relevant project news and related news. From year two on, when the ASPIRE Compiler Tool Chain can be deployed on more than toy examples and when more protections can be applied, the project coordinator and the responsible for dissemination will also create short demonstration videos to be placed online, e.g., on YouTube or Vimeo, and linked on the website. Due to a configuration issue that was not resolved until late May 2014, we can only present Google Analytics results for the period June 2014 - now: month sessions users new users June 169 105 57.40% July 160 124 68.12% August 157 128 74.52% September 262 179 61.83% October 226 160 61.50% As shown in Figure 10, which depicts the number of new users per country, the ASPIRE website draws worldwide attention. ASPIRE D7.02 PUBLIC Page 9 of 37 D7.02 - ASPIRE Dissemination Plan Figure 2 - Screenshot of the top part of the home page on the ASPIRE website ASPIRE D7.02 PUBLIC Page 10 of 37 D7.02 - ASPIRE Dissemination Plan Figure 3 - Screenshot of the bottom part of the home page on the ASPIRE website Figure 4 - Screenshot of the ASPIRE website home page on an (old) iPhone 3G. ASPIRE D7.02 PUBLIC Page 11 of 37 D7.02 - ASPIRE Dissemination Plan Figure 5 - Screenshot of the consortium page on the ASPIRE website ASPIRE D7.02 PUBLIC Page 12 of 37 D7.02 - ASPIRE Dissemination Plan Figure 6 - Screenshot of the about page with links to presentations on the ASPIRE website Figure 7 - Screenshot of the knowledge base page on the ASPIRE website ASPIRE D7.02 PUBLIC Page 13 of 37 D7.02 - ASPIRE Dissemination Plan Figure 8 - Screenshot of the related work page on the ASPIRE website ASPIRE D7.02 PUBLIC Page 14 of 37 D7.02 - ASPIRE Dissemination Plan Figure 9 - Screenshot of the ASPIRE webpage with the list of deliverables Figure 10 - Unique users per country visiting the ASPIRE website since June 2014 ASPIRE D7.02 PUBLIC Page 15 of 37 D7.02 - ASPIRE Dissemination Plan 2.3.2 Restricted Area of ASPIRE Website As can be seen at the top of the screenshot in Figure 2, the ASPIRE website allows consortium members to register and log in to the website. After doing so, the private part of the website can be accessed. This part includes • • • • • wiki pages used for internal dissemination of relevant information that needs to be updated regularly; a Steering Board page linking and listing all information regarding the boards' meetings, such as agendas and minutes; an action tracker page listing all ongoing actions, deadlines, progress states, etc.; mailing list archives; the project SVN repository. 2.4 Presentation of the Project to the General Public 2.4.1 Web, Press Releases, Articles in Popular Press, TV Footage 1. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: Web UGent ASPIRE Public Website 01/11/2013 Website goes online International https://www.aspire-fp7.eu/ 2. Activity: Main Leader: Title: Press Release UGent Gentse onderzoekers ontwikkelen sterke bescherming voor mobiele software en diensten. 04/11/2013 Online press release Belgium http://www.ugent.be/ea/nl/actueel/nieuws/gentse-onderzoekersontwikkelen-sterke-bescherming-voor-mobiele-software-endiensten.htm Date: Type and Goal Event: Countries Addresses: URL: This press release is taken up on other news sites, including the Student Paper of Ghent University (http://www.schamper.ugent.be/2013-online/aspire-is-watching-you), Engineeringnet.be (http://engineeringnet.be/belgie/detail_belgie.asp?Id=11280&titel=Gentse%20onderzoekers%20ze tten%20tanden%20in%20mobiele%20databescherming&category=nieuws), and the news page of the Faculty of Engineering and Architecture of UGent (http://www.ugent.be/ea/nl/actueel/nieuws/ gentse-onderzoekers-ontwikkelen-sterke-bescherming-voor-mobiele-software-en-diensten.htm) 3. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Countries Addresses: 4. Activity: Main Leader: ASPIRE D7.02 News Report on Television Bjorn De Sutter, UGent AVS News - The ASPIRE Project 05/11/2013 The coordinator was interviewed, most of the interview was broadcasted on the local television station AVS in the province of Eastern Flanders in Belgium. The interview was mixed with information about the project, and footage taken during the project kick-off meeting. The whole report/news item lasted 2.18 minutes. A screenshot is shown in Figure 11. Belgium Web UEL PUBLIC Page 16 of 37 D7.02 - ASPIRE Dissemination Plan Title: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: €460,000 to develop software protection 01/12/2013 ASPIRE project is presented on UEL website UK http://www.uel.ac.uk/research/news/aspire/ 5. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Web GTO The ASPIRE F7 project 06/12/2013 Company Wiki page on the Gemalto Intranet describing the project and expected results 6. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Web NAGRA The ASPIRE F7 project 13/03/2014 Company, 3000+ a post describing ASPIRE project has been published on Nagravision intranet's blog 7. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Countries Addresses: Press Release Bjorn De Sutter, UGent ASPIRE project to bring strong software protection to mobile devices 18/04/2014 100k International Press Release about the ASPIRE project. International While the project started in Nov 2013, this press release was only released in April 2014 because it took a very long time to get the marketing departments of the project's industrial partners to agree on a text in which their principal investigators are quoted. Such quotations were preferred quite strongly, because or experience is that they make it much more likely that the press release is picked up by various news sites. This news release was released via the Cordis Wire (http://cordis.europa.eu, published 17/4/2014) and AlphaGalileo (http://www.alphagalileo.org/ViewItem.aspx?ItemId=141251&CultureCode=en, published 25/04/2014). Moreover, we contacted our contact persons at ACM to ensure that the news was picked up by ACM TechNews, the most broadly spread news forum in the computing systems domain, reaching an audience of over hundred thousand readers. The press release was indeed picked up by ACM TechNews in its news bulletin of 25/04/2014 (http://technews.acm.org/archives.cfm?fo=2014-04-apr/apr-25-2014.html#720483). 8. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Countries Addresses: URL: 9. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Countries Addresses: ASPIRE D7.02 Press Release Bjorn De Sutter, UGent ASPIRE and Cyber Security 08/05/2014 Short presentation of the ASPIRE project submitted to, and released by the European Cyber Security Round Table in their Cyber Newsflash. International http://www.security-round-table.eu Press Release Bjorn De Sutter, UGent FP7 ASPIRE Project 07/2014 Presentation of the project in the "In the Spotlight" section of HiPEAC info 39, the 39th issue of the newsletter of the FP7 HiPEAC Network of Excellence International PUBLIC Page 17 of 37 D7.02 - ASPIRE Dissemination Plan URL: http://www.hipeac.net/content/hipeacinfo-39-july-2014 10. Activity: Main Leader: Title: Date: Audience Size: Type and Goal Event: Countries Addresses: News Report on Television Bjorn De Sutter, UGent Scuola anti pirati 30/07/2014 A news report on local Italian television station TGVerona included fragments from Bjorn De Sutter's lecture on ASPIRE's software protection evaluation methodology. The whole report was 3.30 minutes long. See the screenshot in Italy Figure 11 - Screenshot local television interview/report on AVS Figure 12 - Screenshot local television report on TGVerona 2.4.2 Project Logo To allow for a head start of the dissemination activities, the project coordinator launched a design contest "Create the next logo for ASPIRE" at the online design contest marketplace 99designs.com on 18 Sep 2013. In a process that lasted three weeks, 355 designs were ASPIRE D7.02 PUBLIC Page 18 of 37 D7.02 - ASPIRE Dissemination Plan submitted by about 40 designers. Initially the coordinator provided feedback on submitted designs himself, in later phases the ASPIRE Steering Board joined the selection process. Eventually, the logo depicted in Figure 13 was selected: Figure 13 - ASPIRE logo Along with that logo, the two buttons depicted in Figure 14 were delivered that can be used in all kinds of graphical disemmination material. Figure 14 - ASPIRE buttons 2.4.3 Project Leaflet As soon as the project had started, the communication company Magelaan (www.Magelaan.be) was hired to design a project leaflet that can be handed out by the project partners at networking events. Reduced quality versions of this 4-page A4 leaflet are shown in Figure 15 to Figure 18. This flyer was distributed at multiple local and international events by multiple project partners. ASPIRE D7.02 PUBLIC Page 19 of 37 D7.02 - ASPIRE Dissemination Plan Figure 15 - Front page ASPIRE leaflet ASPIRE D7.02 PUBLIC Page 20 of 37 D7.02 - ASPIRE Dissemination Plan Figure 16 - Page 2 ASPIRE leaflet ASPIRE D7.02 PUBLIC Page 21 of 37 D7.02 - ASPIRE Dissemination Plan Figure 17 - Page 3 ASPIRE leaflet ASPIRE D7.02 PUBLIC Page 22 of 37 D7.02 - ASPIRE Dissemination Plan Figure 18 - Back page ASPIRE leaflet ASPIRE D7.02 PUBLIC Page 23 of 37 D7.02 - ASPIRE Dissemination Plan 2.4.4 Project Poster On the basis of the project leaflet graphics, we also designed (internally) a general ASPIRE poster that can be reused by all partners at poster events. This A0-poster is depicted in Figure 19 at reduced resolution. Figure 19 - ASPIRE poster ASPIRE D7.02 PUBLIC Page 24 of 37 D7.02 - ASPIRE Dissemination Plan 2.4.5 Social Media Social media can help in spreading project-related information to a wide audience. They are therefore a valuable tool to disseminate project ideas and results. To start using social media, we waited until enough results were becoming available, such that we can avoid socalled sleeping social media accounts. In September 2014, the ASPIRE FP7 Twitter account was launched (https://twitter.com/aspirefp7), where project members can tweet about the project and related subjects. In November 2014, the ASPIRE FP7 LinkedIn group was launched (https://www.linkedin.com/groups/Aspire-FP7-7300827), where stakeholders and other interested people will be able to get connected, and where we will disseminate project results. 2.4.6 Cooperation with Other Projects UGent collaborated with the TETRACOM FP7 project (http://www.tetracom.eu) to further prepare its IP for exploitation by an industrial partner, as documented more extensively in deliverable D7.03. UGent's ASPIRE team also provides input to the vision building processes in the HiPEAC Network of Excellence (http://www.hipeac.net), in particular for drafting the HiPEAC vision documents and roadmaps on compiler technology and their use for protecting and securing software and computer systems. Furthermore, the project coordinator is active in the Digital Asset Protection Association (DAPA) project/organization (http://www.digitalassetprotectionassociation.org/), where he is working with the scientific board members to draft a whitepaper on best practices for publishing and evaluation software protection papers and results. That work is of course heavily influenced by the methodology developed in WP4 of the ASPIRE project. Within Torino, there is a collaboration between the ASPIRE researchers and the researchers of the SECURED project. The SECURED project needs to remotely attest the software that has to execute the user security application. Currently, the preferred approach is the TCGbased one, which uses secure hardware, i.e., the TPM, as root core of trust. After the remote attestation result will be available, the SECURED group will consider the ASPIRE-proposed software-only approach. Additionally, the software protection techniques can be used to mitigate the risks against the SECURED app, the piece of software running on the user terminals in charge for communicating with the SECURED infrastructure and the user security application execution environments. Nagravision participates to the Celtic-plus project (http://celticplus.eu/) on HEVC Hybrid Broadcast Video Services (H2B2VS, http://h2b2vs.epfl.ch). That project investigates the hybrid distribution of TV programs and services over heterogeneous networks. H2B2VS impacts requirements Nagravision puts forward for ASPIRE technology. Vice versa, ASPIRE uncovers options to securely deploy heterogeneous end devices as targeted by H2B2VS. 2.4.7 Interview for EU Yearbook Based on an interview with the project Coordinator (taken on 30 April 2014), an article about the ASPIRE project will be published in the EU Yearbook, which will be compiled by the team of the EU FP7 project SecCord (http://www.seccord.eu). This article is yet another way of making the public community aware of ASPIRE. ASPIRE D7.02 PUBLIC Page 25 of 37 D7.02 - ASPIRE Dissemination Plan Section 3 Global Dissemination Plan Years 2 - 3 Section Authors: Bjorn De Sutter (UGent) In year 2 and 3, the project shifts from the awareness phase to the result phase and eventually the exploitation phase of the project results. In line with, and in addition to the activities mentioned in the dissemination strategy in Section 1.1, the major dissemination activities in those years will be 1. the continuous updating of the website, incl. the publication of project deliverables; 2. the submission of many collaborative papers to conferences by the consortium partners; 3. press releases following major milestones being reached; 4. presence at major European networking and dissemination events; 5. two workshops and a tutorial. For the submission of papers, we refer to the publication venues listed in Section 1.1, as well as additional venues mentioned in the individual partners' dissemination plans presented in Section 4. Regarding the presence at major European networking events, the project will strive for greater presence and visibility than during the first year. In particular, the coordinator will attend the CSP Forum Conference in 2015. The coordinator has already contacted CSP Forum to ensure that, unlike in 2014, the ASPIRE internal review does not accidentally overlap with the CSP Forum Conference. A major update to the dissemination strategy is that instead of organizing one workshop, the ASPIRE consortium will try organize two or more workshops and tutorials. The reason is that different aspects of the ASPIRE project relate to different communities. To reach those different communities, multiple events are necessary. As mentioned in the above strategy, the original goal was to organize a workshop collocated with one of the major networking events, i.e., conferences, in Europe. As a consequence of the collocation, a workshop proposal needs to be created and submitted to the events' calls for workshops. In other words, the decision to organize the workshop or not is not fully controlled by the ASPIRE consortium itself. One workshop proposal has been prepared and submitted to the International Conference on Software Engineering (ICSE) 2015. See Section 2.2.4 and Appendix A for more details. The workshop selection process at ICSE is quite competitive, but on 20 November 2014 we got notification that the workshop was indeed accepted. So this will provide an excellent opportunity to interact with and disseminate to the software engineering community. A second workshop proposal will be submitted to the HiPEAC 2016 Conference. The acceptance rate there is higher, and UGent organizes the main conference, so we trust that the proposal will effectively be accepted. Through such a workshop, we will reach the compiler research community. In addition we propose to organize one or more tutorials on ASPIRE technology. These will be organized towards the end of the project, or even after the project has ended, when the technology has reached enough maturity to include hands-on sessions. ASPIRE D7.02 PUBLIC Page 26 of 37 D7.02 - ASPIRE Dissemination Plan Section 4 Per Partner Dissemination Plans Section Authors: Bjorn De Sutter (UGent), Mariano Ceccato (FBK), Cataldo Basile (POLITO), Michael Zunke (SFNT), Jerome D'Annovile (GTO), Brecht Wyseur (NAGRA), Paolo Falcarin (UEL) In Appendix B7 of the DoW - Annex I Part B, all ASPIRE consortium partners already briefly presented their dissemination plans. In this section, we extend those presentations. In this section, italic text is copied from the DoW - Annex I Part B Appendix B7. 4.1 Ghent University UGent plans to publish the main results of the project to which it contributes in the scientific publication venues mentioned in Section B3.2.1 of the DoW. As its core research domain is compiler technology, it will also publish results in compileroriented publication venues such as DAC, DATE, CGO, PLDI, LCTES, CC, the HiPEAC conference, TACO and TOPLAS. Concretely, and as first and lead author, UGent/CSL is planning to write and to submit papers on the following topics: • ASPIRE software protection metric framework (task T4.2 - 2-3 papers); • existing binary code control flow obfuscations and their potential to thwart reverseengineering tools such as IDA Pro for ARM code (task T2.4 - 1 paper); • advanced control flow obfuscations based on two-way predicates and complex data structures for encoding predicate values (task 2.4 - 1-2 papers); • the anti-debugging technique (task T2.5, 1-2 papers); • strategies for choosing code splitting points to obfuscate control flow (tasks T2.3 and T3.1); • the public challenge (task T5.3). As potentially first author, but not necessarily so, UGent also plans to write and to submit papers on all other aspects of the project to which it contributes, i.e., almost all aspects. As coordinator of the project, UGent has already proposed to make additional existing deliverables public, such as deliverable D1.02, after its content has been revised and condensed into a paper. The consortium has agreed with this. Near the end of the project, the coordinator will take the initiative to write a book that brings together all ASPIRE results. UGent will also participate in all awareness-oriented and research-oriented dissemination activities mentioned in Section 1.1, in particular in the ISSISP summer school that it coorganizes and at which it lectures. In July 2014, the project coordinator already gave a lecture on software protection evaluation at ISSISP 2014 in Verona. For 2015 and 2016, potential countries for hosting the summer school are Armenia and Brazil. The project coordinator is involved in the choice and determination of the program. As coordinator and face of the ASPIRE project, UGent will actively promote the project at related networking events and take part in the exploitation-oriented activities where useful. ASPIRE D7.02 PUBLIC Page 27 of 37 D7.02 - ASPIRE Dissemination Plan In 2014, this included a so-called Dagstuhl seminar (Dagstuhl Seminar 14241 on Challenges in Analysing Executables: Scalability, Self-Modifying Code and Synergy, June 9–13, 2014), and the ARO Workshop on Continuously Upgradeable Software Security and Protection, Jun 7, 2014. In addition, the project coordinator gave a keynote speech at the First Workshop on Cryptography and Security in Computing Systems, Jan 20, 2014. Similar activities will be taken up during year 2 and 3 of the project, and after the project has finished. In 2015 and 2016, the coordinator will also participate more actively in CSP Forum activities. The main achievements with Diablo are also published on the Diablo website. In due time, and as allowed by the commercial licensing agreements between CSL and industrial third parties, UGent plans to open-source all of the extensions developed in ASPIRE in and on top of its Diablo link-time framework. At that time, the Diablo (diablo.elis.ugent.be) website will also be revamped, to put additional emphasis on the big steps forward realized in the ASPIRE project. As software protection is a prime example of compiler and system software technology, UGent also plans to use all the available means of the HiPEAC3 Network of Excellence, which is coordinated by UGent, to disseminate the results to the European compiler & computer architecture research community. At the HiPEAC 2015 conference, the coordinator will present two posters. A first one will be presented at the TETRACOM workshop collocated with the conference. This will present the successful technology transfer to Samsung Research UK. The second one will present the project at the HiPEAC 2015 General Poster Session. Also at future so-called Computing System Weeks, organized by HiPEAC, ASPIRE results will be presented. As the HiPEAC conference is organized by the administrative personnel that also supports the ASPIRE management activities within UGent/CSL, UGent will take the lead in organizing the HIPEAC workshop to be collocated with HiPEAC 2016. In addition to the aforementioned, UGent will also take up its responsibilities with regard to the maintenance and extension of the ASPIRE website as a knowledge base on relevant work in the domain of ASPIRE. Finally, UGent plans to let students perform their master thesis research in the context of ASPIRE. For the academic year 2014-2015, three students have already started their research, on topics in the domains of (1) software protections of Windows applications based on static linking, (2) advanced opaque predicates, and (3) anti-debugging techniques. All three are progressing well, so we expect to publish their master theses in June 2015. For the academic year 2015-2016, we will submit a new round of research project proposals for in March 2015. 4.2 Politechnico Di Torino POLITO plans to submit results of security evaluation to top journals and conferences on software engineering and security, as mentioned in Section B3.2.1 of the DoW. POLITO will also contribute to the dissemination of ASPIRE results at European level, and to foster collaboration with other EU funded project. A special role will have the participation to EU coordination activities, such as the current EffectPlus events and clusters. Concretely, and as first and lead author, POLITO is planning to write and to submit papers on the following topics: • Software Protection, we expect important publishable results in a novel field of remote attestation that we are designing in this phase of the project, the Implicit Remote Attestation. ASPIRE D7.02 PUBLIC Page 28 of 37 D7.02 - ASPIRE Dissemination Plan • Security model, we expect a number of publications in software risk analysis and mitigation models, from the work to build the ASPIRE Knowledge Base (AKB), as presently, there is no model of the software protection ecosystem in literature that can be compared to the AKB on accuracy and expressiveness • Ontology-based enrichment framework, we expect important publishable results from the ASPIRE Enrichment Framework in task T5.2 in the ontology and formal methods field. • Decision support and software protection optimization models, we expect a number of publications from the work on the decision of the “best” combination of protections to protect the application assets is a new idea that we plan to publish as soon as the ADSS results will be mature. • Empirical assessment of software protection, we expect a number of publications from the results of the empirical evaluation of protections with academic and industrial participants. As potentially the first author, but not necessarily so, POLITO also plans to write and to submit papers on all other aspects of the project to which it contributes, which are mainly related to WP3, WP4, and WP5 aspects. Dissemination of project results will be also conducted within the Politecnico di Torino, by presenting the objectives of the project in the course of “Sicurezza dei sistemi informatici” and “Computer system security”, having Antonio Lioy and Cataldo Basile as teachers. Moreover, we plan to have 5-10 thesis at the end of the three years of the project, presenting small and focused innovations conducted within the ASPIRE project. POLITO will also continue dissemination: • Internal, within the Politecnico, by presenting the ASPIRE project and ASPIRE results to other research groups, that may be also involved other EU proeject • External, by participating to conferences, workshops, and EffectPlus and other EU events, and • External, by disseminating ASPIRE goals and results on national media. 4.3 Nagravision As for the result phase of the dissemination, NAGRA aims to establish public credibility by publishing new results at top-level conferences such as EUROCRYPT, CRYPTO, CHES, CARDIS, DRM, ESORICS; publish corporate white-papers and articles for journals. NAGRA employees are often also speakers at relevant events, which enables evangelisation. In addition, NAGRA has several tracks of dissemination planned. This includes both internal dissemination as external dissemination of ASPIRE results. As for internal dissemination, this includes • Frequent publication of ASPIRE results and project progress on an internal blog, • Presentation of the project results at security workshops, in particular “security deep dives”. This is a special series of workshops that is organized every 6 months in which the Kudelski Group security experts gather to discuss and disseminate various security topics. The Principal Investigator of NAGRA to the ASPIRE project is a frequent speaker at this workshop and has presented about the project in the past editions. This dissemination will continue in the next editions. Results of the ASPIRE project will be further disseminated to software developers and architects in NAGRA’s business units. This has for example already been done for the demonstrator that has been developed in WP6. ASPIRE D7.02 PUBLIC Page 29 of 37 D7.02 - ASPIRE Dissemination Plan As for the exploitation phase of the dissemination, NAGRA will also participate to tradeshows with its products that are protected with the ASPIRE tool chain; in particular, we shall expose the project results at our booth at IBC (the yearly International Broadcasting Convention) and participate to CES (the yearly Consumer Electronics Show). For further external dissemination, NAGRA envisions two main tracks. 1. To disseminate towards business audience, aiming directly to attract new customers by demonstrating technology. This can be achieved by demonstrating ASPIRE-based technology and products at tradeshows such as IBC (the yearly International Broadcasting Convention) or CES (the yearly Consumer Electronics Show), which are the main events in our market segment. This is planned for towards the end of the ASPIRE project, when the results become mature enough for presentation. 2. To establish credibility by publishing new results and showing our participation to the ASPIRE project. This targets a more research-oriented community, with publications and conferences and workshops of relevance. In the first year of the project, NAGRA employees have been presenting about ASPIRE at scientific events, as shown in the list in Section 2, and NAGRA plans to continue to support such activities. 4.4 Fondazione Bruno Kessler FBK plan to submit results of security evaluation to top journals and conferences on empirical software engineering, as mentioned in Section B3.2.1 of the DoW. Concretely, and as first and lead author, FBK is planning to write and to submit papers on the following topics: • Implementation and assessment of data obfuscation based on state-of-the-art approaches, e.g. residue number coding (Task T2.1); • Improvement and extensions of state-of-the-art data obfuscation approaches, towards more secure solutions that are more resilient to static analysis (Task T2.1); • Client-server code splitting based on barrier slicing and its performance assessment (Task T3.1); • Source code level software metric to measure the impact of software protection approaches (task T4.2); • Design, results, discussion and interpretation of the results of the controlled experiments devoted to assess software protection with academic participants (Task T4.3) and with industrial participants (Task T4.4). As potentially the first author, but not necessarily so, FBK also plans to write and to submit papers on other topics of the project to which it contributes: • Presentation of the state of the art attacks on software integrity for the definition of a comprehensive attack model (Task T1.4); • Code diversity and heuristics to search in the search space for the most “diverse” versions to deploy with updates (Task T3.3); • Design and results, discussion and interpretation of the public challenge (Task T4.5). Dissemination of project results will be also conducted by presenting the objectives of the project in the course of “Security Testing” that Paolo Tonella and Mariano Ceccato teach in the Master Degree in Computer Science in the University of Trento. Moreover, small and well-defined activities will be identified in the tasks lead by FBK, to be assigned as master theses to master students. As such, students involved in master theses related to the project will be required to spend some time to familiarize with the specific ASPIRE D7.02 PUBLIC Page 30 of 37 D7.02 - ASPIRE Dissemination Plan context of ASPIRE. With the help of the thesis supervision, the master student will elaborate, implement and assess a small and novel contribution that fits the objective of the project. As a matter of fact, this strategy was already successful adopted in the first year of the project, as demonstrated by the theses listed in Section 2.1. 4.5 University of East London UEL plans to publish the main results of the project to which it contributes in the scientific publication venues mentioned in Section B3.2.1 of the DoW. UEL will coordinate the dissemination activities in ASPIRE project and next to the ASPIRE workshop, UEL will co-organize workshops on software protection collocated with important international conferences in software engineering (ICSE) and security (CCS). Concretely, and as first and lead author, UEL is planning to write and to submit papers on the following topics: • Code Mobility as Software Protection, we expect important publishable results in the novel field of network-based protections based on code mobility, and dynamic renewability of code. • Code diversity and heuristics to search in the search space for the most “diverse” versions to deploy with updates (Task T3.3); • Extension of code mobility with UGent's Diablo binary rewriter (T3.1); • Extension of code mobility with SafeNet's VM on Android (T3.1); • Security model, we expect a number of publications on Petri-nets attack models and related toolset, as presently, there is no model of the software protection attacks in literature and no tools to evaluate them. As potentially the first author, but not necessarily so, UEL also plans to write and to submit papers on all other aspects of the project to which it contributes (in WP3, WP4, and WP5). In particular, UEL wants to contribute to the following activities: • Presentation of the state of the art attacks on software protection for the definition of a comprehensive attack model (Task T1.4), with particular focus on network-based protections; • Extension of code mobility with remote attestation (Tasks T3.1 and T3.2). • Construction of the ASPIRE Knowledge Base (AKB) by adding and extracting attack models (Task T4.1 and T5.2); • Decision support and software protection optimization models: decision of the “best” combination of protections to protect the application assets; • Empirical assessment of software protection, we expect a number of publications from the results of the empirical evaluation of protections with academic and industrial participants. UEL and NAGRA will co-organize a workshop on software protection accepted as collocated event with the International Conference in Software Engineering (ICSE-2015) in May 2015. UEL will lead the workshop organization, setting up the Program Committee, advertising the call for papers and organizing the papers review among the PC members. Dissemination of project results will be also conducted within UEL, by presenting the objectives of the project in the modules of "Programming Languages" and “Computer security”, having Paolo Falcarin and Christophe Tartary as lecturers. Moreover, we plan to ASPIRE D7.02 PUBLIC Page 31 of 37 D7.02 - ASPIRE Dissemination Plan have 3-10 overall undergrad and postgrad final thesis at the end of the three years of the project, presenting small and focused innovations performed during the ASPIRE project. UEL will also continue dissemination: • Internal, by presenting the ASPIRE project results to other research groups; • External, by participating to conferences, workshops, and other EU events. 4.6 SFNT Germany During the results phase SFNT will market the participation and results through its marketing channels including press releases where applicable. Once promising results of the ASPIRE metric are available and SFNT can show its value the metric is expected to be used to classify protections in order to start educating the market about efficient protections. Internally product enhancements will be guided by the metrics. To prepare for this the project is promoted internally to the Senior System Architects and the respective product owners. Discussion with the product owners already have started and feedback to development is expected to start as soon as positive results are achieved. For the exploitation phase SFNT will promote the metrics developed in ASPIRE in its products and in relevant developer conferences. This includes participation in trade shows and press releases about it. The metric could be introduced to the SIIA and might influence the way how security solutions will get judged towards the well-known Codie Awards. 4.7 Gemalto A first action is to disseminate ASPIRE results within the Gemalto company. Several internal workshops will be organized during the last year of the project and demonstrations of the protection techniques are demonstrated to Software developers in Business Units in order to collect feedbacks. These feedbacks will contribute to define the Gemalto ASPIRE product. The target teams identified so far are the eBanking teams. As the external dissemination activity, Gemalto intends to rely on existing connections settled in a Living Lab. Finland initiated the concept of Living Lab in 2006 with the idea to gather users, researchers and implementers in an experiential environment where the user is associated in the creation process. It is mainly IT focussed but it has a broader spectrum. There are more than 300 Living Labs in Europe. It is oriented on experimentations with users to assess innovations not to test alpha/beta releases of products but to induce the product definition. Participants to this ecosystem are located in the same geographical area that can be a city or a region. The Secure Electronic Transactions cluster (TES acronym in French) is part of the French Normandy Living Lab (NLL). It is focussed on the three main topics: contactless payment, eCitizen and eAdministration. Experiment has been conducted in 2005 (“Caen ville NFC”) and in 2008 on payment with mobile device. Gemalto is member of TES. The plan is to be active in this cluster by proposing a concrete experimentation about contactless mobile payment based on applications secured by ASPIRE. From M24, some tangible protections can be proposed to members of the cluster. The motivation of this cooperation is to define the Gemalto ASPIRE product and the expected results are feedback on the ACTC, the protection configuration, tools would be required to assist application developers in the source code annotation activity, ADSS assessment, reports convenience, ... ASPIRE D7.02 PUBLIC Page 32 of 37 D7.02 - ASPIRE Dissemination Plan Section 5 List of Abbreviations ACM Association of Computing Machinery ARO Army Research Office ASPIRE Advanced Software Protection: Integration, Research and Exploitation CARDIS Smart Card Research and Advanced Application Conference CC Compiler Construction CCS Computer and Communications Security CGO Code Generation and Optimization CHES Cryptographic Hardware and Embedded Systems CRYPTO Cryptology CSL Computer Systems Lab CSP Cyber Security & Privacy DAC Design Automation Conference DAPA Digital Asset Protection Association DATE Design, Automation & Test in Europe DoW Description of Work DRM Digital Rights Management ESORICS European Symposium on Research in Computer Security EU European Union EUROCRYPT Annual International Conference on the Theory and Applications of Cryptographic Techniques H2B2VS HEVC Hybrid Broadcast Video Services HiPEAC High Performance and Embedded Architecture and Compilation IEEE Institute of Electrical and Electronics Engineers ICSE International Conference on Software Engineering IT Information Technology LCTES Languages, Compilers, Tools and Theory for Embedded Systems NFC Near Field Communication NLL Normandy Living Lab PLDI Programming Language Design and Implementation RA Remote Attestation SECURED SECURity at the network EDge SIIA Software & Information Industry Association TACO Transactions on Architecture and Code Optimization TES Secure Electronic Transactions (Transactions Electroniques Securisées in French) TETRACOM Technology Transfer in Computing Systems TCG Trusted Computing Group TOPLAS Transactions on Programming Languages and Systems TORSEC Torino Security TPM Trusted Platform Module WP Work Package ASPIRE D7.02 PUBLIC Page 33 of 37 D7.02 - ASPIRE Dissemination Plan Appendix A First ASPIRE Workshop Proposal Software Protection Workshop Security Evaluation and Industrial Best Practices Paolo Falcarin* Brecht Wyseur School of Architecture, Computing and Engineering University of East London (UEL) Docklands Campus, E16 2RD London, United Kingdom [email protected] , +44 20 8223 6086 *main contact person Nagravision S.A. Route de Genève 22-24, 1033 Cheseaux-sur-Lausanne, Switzerland [email protected] Abstract (for ICSE website) - The need for adequate protection of software is clear. Critical infrastructures need to be protected against vulnerability exploitation; games against cheating; our banking applications against malicious tampering; or software vendors need to protect their software against piracy – to just name a few. Despite the fact that a lot of research has been conducted in the past decade in the area of Code Obfuscation and Software Anti-Tampering, software applications are often still vulnerable. That is because we need better techniques; we need to be able to evaluate the robustness thereof; and we are missing appropriate tools. The aim of this workshop is to bring together researchers and industrial practitioners both from software protection and the wider software engineering community to discuss software protection techniques, evaluation methodologies, and tools, in order to define directions for future research. The workshop objective is creating a community working in this new growing area of security, and to highlight its synergies with different research fields of software engineering, such as: software modelling, program analysis, reverse engineering, code transformation, testing, empirical evaluation, and software metrics. Index Terms—Obfuscation, Information Hiding, DRM, remote attestation, tamper-proofing, reverse engineering, security evaluation, empirical experiments, software diversity, renewability. is crucial to mitigate attacks such as reverse engineering, piracy, and tampering. Software engineers need to be aware of these threats, and companies need to organize appropriately. Secure coding is a first step. Inevitably, the development and build process need to be impacted as appropriate tools to deploy protection techniques need to be deployed. That is a challenging step for many companies. And last but not least, it needs to be ensured that the robustness achieved is adequate. All these steps are vital to defend companies’ or individuals’ assets such as service keys, intellectual properties, and program execution correctness. Effective deployment of protection techniques can mean the difference between business survival and failure. A computer system's security can be compromised in many ways. A denial-of-service attack can make a server inoperable, or an eavesdropper can reap financial rewards by intercepting the communication link between a customer and her bank through a manin-the-middle (MITM) attack. What all MITM scenarios have in common is that the adversary is an untrusted entity that attacks a system from the outside. If we remove this assumption and if we allow anyone operating a computer system (from system administrators down to ordinary users) to compromise that system's security, we find ourselves in a more complex scenario that has received comparatively little attention. Methods for protecting against such ManAt-The-End (MATE) attacks are variously known as tamper-proofing techniques, digital asset protection, or, more commonly, software protection. More in general, software protection research aims at developing algorithms that protect the integrity of data and software applications deployed on un-trusted devices. 1. Introduction and motivation Software Protection is crucial for many individuals and companies that produce or use software; these may be software vendors, or any service industry relying on software applications. Software protection ASPIRE D7.02 PUBLIC Page 34 of 37 D7.02 - ASPIRE Dissemination Plan 2. Relevance to Software engineering Software Protection has been an intrinsic problem of software engineering since software has become a commercial product: Fig. 1 shows the cover of the tech-news journal The Transactor (published in Canada), and its special issue on Software Protection and Piracy. For example, even the simple specification of the assets in the software to protect and of the threats to mitigate (which depend on the software but also on the business model of the vendor) is a complex problem. And so is the reporting of the provided protection to the software developer. Thirdly, as software protections try to prevent MATE attacks, they unfortunately also prevent benign activities such as debugging and coverage analysis. How to reconcile software protections with software engineering activities such as validation, testing, debugging, and certification is an open challenge. 3. Themes and goals Fig.1: The Transactor magazine Such issue was published in November 1984 and dedicated to Software Protection problems for the glorious Commodore-64 personal computer. This example shows how piracy is a long-standing problem, while software protection has just recently evolved from a set of disparate technical tricks into a proper research field. Software protection is an area of growing importance in software security: leading-edge researchers have developed several pioneering approaches for preventing or resisting software piracy and tampering but only recently, one comprehensive textbook on the subject has been published [1]. Software Protection scope spans a range of different heterogeneous research topics: obfuscation and cryptography [2], digital rights management [3], information hiding [4], reverse engineering [5], compilers and code transformations [6], and distributed systems [7]. Software protection is relevant to software engineering and a challenge for software engineers, for several reasons. First, as protections typically consists of components injected into software and of transformations applied to the original, non-protected software to invoke the protections, a good software architecture is needed to integrated multiple protections. This is a non-trivial design issue. Secondly, software protections provide nonfunctional features, of which the deployment should ideally not put a burden on the designers and developers of the software to be protected. This implies that tools should deploy the protections (semi)automatically and that non-security experts should be able to deploy the tools. This is an open challenge. ASPIRE D7.02 This workshop will consist of a selection of articles aimed at providing software engineers with appropriate methods, approaches, techniques, and tools to support evaluation and integration of software protection techniques into their software products. The articles will present mechanisms and strategies to mitigate one or more of the problems faced by software protection. The goal of this workshop is to bring together researchers and industrial practitioners both from software protection and the wider software engineering community to share experience and provide directions for future research, and to stimulate the use of software engineering techniques in novel aspects of software protection The workshop aims at creating a community working in this new growing area of security, and to highlight its synergies with different research fields of software engineering, like: software modelling, program analysis, reverse engineering, code transformations, testing, empirical evaluation, and software metrics. The target audience of this workshop will be scholars and practitioners who are interested in getting a clear state-of-the-art understanding about the possible menaces to their intellectual property, and the related advantages and disadvantages of different software protection techniques, and who wants to gain practical knowledge about how to deal with such techniques and tools in order to protect their work from existing threats. Articles in this workshop might also investigate usage of software protection by malware, including techniques to contrast reverse engineering, and avoid anti-virus detection. Examples of research questions are - What are the current threats to intellectual property and what are the key protection mechanisms? - How to evaluate and compare different protection tools and techniques? - What lessons can be learned from failures due to the lack of attention to software protection? PUBLIC Page 35 of 37 D7.02 - ASPIRE Dissemination Plan - - How is software protection used to prove authorship and tracking violation? How to evaluate the effectiveness of software protections? How long before the software will be cracked? How to deploy software protection with minimal interference with existing software design and development processes. 4. Organization The desired length of the workshop is one day, possibly on Tuesday 19th. However we can accept to move it on other permitted days, with preference of Monday 18th rather than Saturdays or Sundays, as many possible participants from industry would not be able to attend in week-ends. The basic equipment needed is a projector, a whiteboard, wifi connection, desks to accommodate people with laptops, power sockets, room capacity for 20 to 50 people; The workshop will be open and we will solicit participation from people from different communities in software engineering to explore the synergies with software protection; in the software security domain we will advertise the workshop in the ASPIRE project website [9] and to the consortia of other related projects. We have already established a community of people working in software protection through the former RE-TRUST workshops in 2008 and 2009, the special issue of IEEE Software in 2011, and the international summer schools on software protection [12]. The two editions of RE-TRUST workshop ran for 2 days with about 30 attendees and we expect a similar number of participants; A draft workshop webpage [10] has been created on the website of the ASPIRE FP7 project [9], with the call for papers. The workshop structure will start with full papers (30 min. presentations) in the morning session, possibly starting with an invited speaker. In the afternoon there will space for be short papers (15 min presentations), with particular emphasis for industrial contributions, position papers and PhD student contributions. The workshop will conclude with a panel of software protection experts. 5. Organizers and Program committee A. Paolo Falcarin Paolo Falcarin is a Reader (Associate Professor) at University of East London. He got his Ph.D. in Software Engineering in 2004 at Politecnico of Torino (Italy). His research interests are: software protection for distributed systems, renewable and tamper- ASPIRE D7.02 resistant software, system modelling, service oriented computing. Paolo Falcarin was one of the guest editors of the special issue on software protection of IEEE Software in 2011 [8]. Moreover, he organized the Telecom Service Oriented Architecture workshop (TSOA 2007), affiliated with ICSOC 2007 in Vienna (Austria): it was a one-day workshop bringing together more than 25 participants from industry and academia on service oriented computing in the telecommunications domain [12]. B. Brecht Wyseur Brecht Wyseur is a security architect and cryptography expert at Nagravision S.A., a Kudelski Group company, world leader in digital security and convergent media solutions for the delivery of digital and interactive content. His main interests are shared between cryptography and software security: Cryptography, computer security, security architectures (CAS and DRM), white-box cryptography, software security (obfuscation, software tamper resistance, and remote attestation). He obtained his PhD from KULeuven, Belgium, in 2009. Prior to that, he received a master degree in mathematics from KULeuven. In the latest years, he has been active in several research projects on cryptography and software security funded by the European Commission, the Flemish and the Belgian government; published at international conferences and journals, filed patents, and have been a regular invited speaker. In the past he organized two editions of RETRUST workshop in 2008 and 2009 in Italy: they were two-day workshops bringing together more than 40 participants from industry and academia on remote entrusting and software protection [8]. C. Program Committee List of program committee members: - PUBLIC Jerome d'Annoville – Gemalto, France Jean Daniel Assel – Gemalto, France Cataldo Basile - Politecnico di Torino, Italy Mariano Ceccato -- Fondazione Bruno Kessler, Italy Christian Collberg – University of Arizona, USA Bart Coppens - University of Ghent, Belgium Mila Dalla Preda – University of Verona, Italy Koen DeBosschere – University of Ghent, Belgium Bjorn DeSutter - University of Ghent, Belgium Werner Dondl – SafeNet Inc., USA/Germany Michael Franz – University of California, Irvine, USA Roberto Giacobazzi – University of Verona, Italy Johannes Kinder – Royal Holloway Univ. of London, UK Page 36 of 37 D7.02 - ASPIRE Dissemination Plan - Antonio Lioy – Politecnico di Torino, Italy Isabella Mastroeni - University of Verona, Italy Christian Mönch – Conax, Norway Mattia Monga – University of Milan, Italy Riccardo Scandariato – Chalmers University, Sweden Christophe Tartary – University of East London, UK Clark Thomborson, University of Auckland, New Zealand Paolo Tonella -- Fondazione Bruno Kessler, Italy Gaofeng Zhang – University of East London, UK Michael Zunke – SafeNet Inc., USA/Germany Short list of possible committee members or contributors: - André Nicoulin – Nagravision, Switzerland - Mikhail Atallah – Purdue University, USA - Ginger Myles, IBM Almaden Research Center USA - Alexandre Gazet -- Sogeti, ESEC, France - Yoann Guillot -- Sogeti, ESEC, France - Haya Shulman – University of Darmstadt, Germany - Andy King – University of Kent, UK - Mariusz Jakubowski - Microsoft Research, USA - Jens Krinke - University College London, UK - Jasvir Nagra - Google Inc., London, UK - Yuan Gu – Irdeto, USA - Wei-Ming Khoo, University of Cambridge, UK - Mihai Christodorescu, Qualcomm, USA - Prashant Gupta, McAfee Labs, UK - Stefan Katzenbeisser - Philips Research, Netherlands - Klaus Kursawe -- Philips Research, The Netherlands - Bart Preneel -- Katholieke Universiteit Leuven, Belgium Acknowledgment The workshop is partly sponsored by the ASPIRE project [9], funded from the European Union Seventh Framework Programme FP7 under grant agreement number 609734. REFERENCES [1] C. Collberg, J. Nagra. Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison Wesley, 2009. [2] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., & Waters, B. (2013, October). ASPIRE D7.02 Candidate indistinguishability obfuscation and functional encryption for all circuits. In Foundations of Computer Science (FOCS), 2013 IEEE 54th Annual Symposium on (pp. 40-49). [3] Zeng, Wenjun, Heather Yu, and Ching-Yung Lin, eds. Multimedia security technologies for digital rights management. Vol. 18. Academic Press, 2011. [4] Brecht Wyseur, "White-box cryptography: hiding keys in software." NAGRA Kudelski Group (2012). [5] Dube, T.E. Birrer, B.D. Raines, R.A. Baldwin, R.O. Mullins, B.E. Bennington, R.W. Reuter, C.E.: Hindering Reverse Engineering: Thinking Outside the Box, IEEE Security & Privacy, 2008, Vol 6(2), pp 58-65 [6] S. Debray, W. Evans, R. Muth and B. De Sutter, Compiler Techniques for Code Compaction. In ACM Transactions on Programming Languages and Systems, 22(2), March 2000, pp. 378-415. [7] R. Scandariato, Y. Ofek, P. Falcarin, and M. Baldi, “Application-Oriented Trust in Distributed Computing,” in Proceedings of the 2008 Third International Conference on Availability, Reliability and Security. IEEE Computer Society, 2008, pp. 434–439. [8] P. Falcarin, C. Collberg, M. Atallah, and M. Jakubowski. "Guest Editors' Introduction: Software Protection." Software, IEEE 28, no. 2 (2011): 24-27. [9] EU FP7 ASPIRE project (Advanced Software Protection: Integration, Research and Exploitation). On-line at http://www.aspirefp7.eu/ [10] International Workshop on Software Protection (draft homepage). On-line at http://www.aspirefp7.eu/spw2015/ [11] RE-TRUST workshops. On-line at http://retrust.dit.unitn.it/ [12] International Summer School on Information Security and Protection, 2011, 2012, 2013 and 2014 editions online On-line at http://issisp.elis.ugent.be/, http://profs.sci.univr.it/isisp12/ISISP12/Welcome .html, http://issisp2013.nwu.edu.cn/, and http://issisp2014.di.univr.it/. [13] Telecom Service Oriented Architecture Workshop, 2007. On-line at http://icsoc2007.servtech.info/workshops.html PUBLIC Page 37 of 37
© Copyright 2024